Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-06-2023 04:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a51724213693fe0e8a39b388b28211d4be2c7e6d794459e7a6f0b23b4907e425.exe

  • Size

    735KB

  • MD5

    a51c02b762b1b9550a7347214c8ac876

  • SHA1

    79c76af61c5f33e949f0a60be23441aaeb95f035

  • SHA256

    a51724213693fe0e8a39b388b28211d4be2c7e6d794459e7a6f0b23b4907e425

  • SHA512

    e78db4bbe2c4e8370a159df1c2050b63b2ff83aa1d7f88294f9289132ae4f78d8c1797dc102b9fbeaf11df0b33d8743c5a9179deb07d7f4feaa36c91cd91c08c

  • SSDEEP

    12288:XMrjy90DXyur4aThTySrvZqBDDAS/KZXR2CRYiR55UuVTAHLk9cJv0g+8JEYRtS:cyALkWvZGnASoXR2CRY45UVHLmcJMCEx

Score
10/10
redlinemaxievasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19048

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a51724213693fe0e8a39b388b28211d4be2c7e6d794459e7a6f0b23b4907e425.exe
    "C:\Users\Admin\AppData\Local\Temp\a51724213693fe0e8a39b388b28211d4be2c7e6d794459e7a6f0b23b4907e425.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:5032
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9059753.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9059753.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2660
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4952144.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4952144.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:800
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2547904.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2547904.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:3224
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7208848.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7208848.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1908
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7800435.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7800435.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:3668
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1352
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3668 -s 140
              6⤵
              • Program crash
              PID:4608
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c6802449.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c6802449.exe
          4⤵
          • Executes dropped EXE
          PID:1412
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3668 -ip 3668
    1⤵
      PID:3796

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9059753.exe
      Filesize

      529KB

      MD5

      a4209e9439096df979f452c5bcec5754

      SHA1

      f93c0bcdf68f2000dd5061e57e24ee8cdf8d31ab

      SHA256

      b45b28ce410ad5e46edfe5129dab7483add3f7ab710eb109cc57f03f625dcf6d

      SHA512

      786c5cd91e7714d74cfb2af3bea5511f07148a7ec809eb5709ea71896f28ab34849d536b2972f45b6c2a6ac80b325d4522ef82da5a10f3a30aa554f0be41e17b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9059753.exe
      Filesize

      529KB

      MD5

      a4209e9439096df979f452c5bcec5754

      SHA1

      f93c0bcdf68f2000dd5061e57e24ee8cdf8d31ab

      SHA256

      b45b28ce410ad5e46edfe5129dab7483add3f7ab710eb109cc57f03f625dcf6d

      SHA512

      786c5cd91e7714d74cfb2af3bea5511f07148a7ec809eb5709ea71896f28ab34849d536b2972f45b6c2a6ac80b325d4522ef82da5a10f3a30aa554f0be41e17b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4952144.exe
      Filesize

      357KB

      MD5

      2b21d1907b711eee44a4651581a3db66

      SHA1

      ab722af31c7c8bf8e42975f72774b02ee62d99ed

      SHA256

      7348dfcb2a1c781fce2c225d4f37aff573b9700919c64ef13974f6c12c1d9fcb

      SHA512

      f301f9bd480994ee5e2555e0bb7ee7a0a15c513b92250e25cf6ee140e1643ed6f84ecdf995e26e207d84ef99ee35c0362ccb4704bc4c84de54e41aa823c03b6a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4952144.exe
      Filesize

      357KB

      MD5

      2b21d1907b711eee44a4651581a3db66

      SHA1

      ab722af31c7c8bf8e42975f72774b02ee62d99ed

      SHA256

      7348dfcb2a1c781fce2c225d4f37aff573b9700919c64ef13974f6c12c1d9fcb

      SHA512

      f301f9bd480994ee5e2555e0bb7ee7a0a15c513b92250e25cf6ee140e1643ed6f84ecdf995e26e207d84ef99ee35c0362ccb4704bc4c84de54e41aa823c03b6a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c6802449.exe
      Filesize

      172KB

      MD5

      d44c0e68ee38672de408ccae4d0f8b7f

      SHA1

      f75d8047f74ba6e5248c5c642dbeb92560066aa5

      SHA256

      9e5311b1372be42354e149f9872a31556f48794be4471c9bd096b30cd7803e7a

      SHA512

      77b0bb23bbb29a477220c718062507a33d94dc5153612746b007cd6b86903eb10771756a90039cda1203ba92f34fc937ff1b40b513995e341e959d2727461207

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c6802449.exe
      Filesize

      172KB

      MD5

      d44c0e68ee38672de408ccae4d0f8b7f

      SHA1

      f75d8047f74ba6e5248c5c642dbeb92560066aa5

      SHA256

      9e5311b1372be42354e149f9872a31556f48794be4471c9bd096b30cd7803e7a

      SHA512

      77b0bb23bbb29a477220c718062507a33d94dc5153612746b007cd6b86903eb10771756a90039cda1203ba92f34fc937ff1b40b513995e341e959d2727461207

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2547904.exe
      Filesize

      202KB

      MD5

      56d5c73885fc2c9a1635bdad5481b85f

      SHA1

      e3a4c51d0a73ffb03d0c85edfde6b41e8f0b11c4

      SHA256

      def2c61ef2e24e9aab2be07f799154bd135fdfdd2338bf875ea5e64ecb4178ca

      SHA512

      dfbe89ba31c103b95ffc5f58ee5bb9b897cfc10319e85bb5831297b510379d60e01e1e8db6842bc394650578960d2c19fda9adb3e3f23e9e5e12c05d5b68d689

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2547904.exe
      Filesize

      202KB

      MD5

      56d5c73885fc2c9a1635bdad5481b85f

      SHA1

      e3a4c51d0a73ffb03d0c85edfde6b41e8f0b11c4

      SHA256

      def2c61ef2e24e9aab2be07f799154bd135fdfdd2338bf875ea5e64ecb4178ca

      SHA512

      dfbe89ba31c103b95ffc5f58ee5bb9b897cfc10319e85bb5831297b510379d60e01e1e8db6842bc394650578960d2c19fda9adb3e3f23e9e5e12c05d5b68d689

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7208848.exe
      Filesize

      13KB

      MD5

      c1510b25bc0838064e7a3f941aa8c056

      SHA1

      1b7e18e23a39b53d8d1e5c8601438696cdc50cb1

      SHA256

      406e902a6e5af253a40d802f748928c9243ff90491ed3826646f1f3732b88790

      SHA512

      8cfb75751800dc0396c03dc8d81fb005d595f62c9649559a8a00fabdb0fdf8d82e76d3deee0d9273f1c490b0dda85e2bda946aafff8f5001275c8fbc6c5c6165

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7208848.exe
      Filesize

      13KB

      MD5

      c1510b25bc0838064e7a3f941aa8c056

      SHA1

      1b7e18e23a39b53d8d1e5c8601438696cdc50cb1

      SHA256

      406e902a6e5af253a40d802f748928c9243ff90491ed3826646f1f3732b88790

      SHA512

      8cfb75751800dc0396c03dc8d81fb005d595f62c9649559a8a00fabdb0fdf8d82e76d3deee0d9273f1c490b0dda85e2bda946aafff8f5001275c8fbc6c5c6165

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7800435.exe
      Filesize

      117KB

      MD5

      0190c7fac717448e1aa19d4013adb411

      SHA1

      7022e8d4f1450685cc30a2b125b92a7866386e2b

      SHA256

      84d620318749e8e68d0ae64b2388605cb54081deeafd2c842327d4b8a128bf32

      SHA512

      cdf2269d17351d94431503736393bce3ab9c80cc5c04a30a56d13a42db059851b41ef93f5c6a47c7d2b079d6631fd60af040c7c1ab6624a72f4810564e0d586b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7800435.exe
      Filesize

      117KB

      MD5

      0190c7fac717448e1aa19d4013adb411

      SHA1

      7022e8d4f1450685cc30a2b125b92a7866386e2b

      SHA256

      84d620318749e8e68d0ae64b2388605cb54081deeafd2c842327d4b8a128bf32

      SHA512

      cdf2269d17351d94431503736393bce3ab9c80cc5c04a30a56d13a42db059851b41ef93f5c6a47c7d2b079d6631fd60af040c7c1ab6624a72f4810564e0d586b

      Download Submit
    • memory/1352-167-0x0000000000550000-0x000000000055A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1412-175-0x0000000000030000-0x0000000000060000-memory.dmp
      Filesize

      192KB

      Download
    • memory/1412-176-0x000000000A3F0000-0x000000000AA08000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/1412-177-0x0000000009EE0000-0x0000000009FEA000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/1412-178-0x0000000004920000-0x0000000004932000-memory.dmp
      Filesize

      72KB

      Download
    • memory/1412-179-0x0000000009E10000-0x0000000009E4C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/1412-180-0x0000000004940000-0x0000000004950000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1412-182-0x0000000004940000-0x0000000004950000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1908-161-0x00000000001A0000-0x00000000001AA000-memory.dmp
      Filesize

      40KB

      Download